Re: nftables portmap map

On Mon, 23 Dec 2024 at 15:34, Antonio Ojea
<antonio.ojea.garcia@xxxxxxxxx> wrote:
>
> >> nft add rule inet cni-kindnet prerouting dnat to ip daddr . ip protocol . th dport map @hostport-map-v4
>
> >
> > Strange, this version does work for me.
> >
> > table inet cni-kindnet {
> >         map hostport-map-v4 {
> >                 type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
> >                 flags interval
> >         }
> >
> >         chain prerouting {
> >                 type nat hook prerouting priority dstnat; policy accept;
> >                 dnat ip to ip daddr . ip protocol . th dport map @hostport-map-v4
> >         }
> > }
>
> Yeah, it works for me too, it seems the difference is the "ip"
> statement after the "dnat" ... "dnat ip to ip daddr ..."
>
> Without that "ip" I can see with strace that it gets "-1 EAGAIN
> (Resource temporarily unavailable)"
>
> Thanks for the help

I cannot make it work for ipv6, and have tried different combinations:
        map hostport-map-v6 {
                type ipv6_addr . inet_proto . inet_service : ipv6_addr . inet_service
                flags interval
        }

 nft add rule inet cni-kindnet prerouting dnat ip6 to ip6 daddr . meta l4proto . th dport map @hostport-map-v6
Error: transport protocol mapping is only valid after transport protocol match
add rule inet cni-kindnet prerouting dnat ip6 to ip6 daddr . meta l4proto . th dport map @hostport-map-v6
                                     ~~~~
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^